If a security breach results in sensitive customer details being stolen, your business may be prosecuted by national authorities, penalized by standards bodies or sued by your customers. In the UK the Information Commissioner’s Office is using existing laws such as the Data Protection Act to take action against offending organizations where a security breach is shown to be due to inadequate controls. In the financial industry, regulations and standards are being imposed on organizations that compel them to use effective security controls, and in some cases specify the type of controls to use. For example, the Payment Card Industry Data Security Standard (PCI DSS) specifies two-factor authentication ‘for remote access for all employees, administrators, and third parties’.
The main questions that need to be answered by organizations that have to comply with data protection regulations are:
- What information is stored on a system?
- Where is the information stored?
- Who can access the system?
- What can they access?
- Is the access appropriate?
Now, cloud computing providers can certainly tell you what information is stored on their systems, but where the information is stored is less certain because of the distributed and virtualized nature of public clouds. If this is an issue, you will have to ensure that the provider you use is able and willing to work with you to provide, and prove, any data location restrictions you may have. As for the ‘who’, ‘what’ and ‘why’ questions about system access, in order to comply with data protection regulations you may have to find out who the system and application administrators are, how they access the systems, and the policies that dictate how administrative security permissions are granted. The provider may also need to prove that it can supply you with an audit trail based on detailed system access logs, if one is required.
As a minimum precaution, if your business has personal data records that are stored and moved around public clouds that cross international boundaries then you should ensure that your cloud provider – and any country where your data may be stored – adheres to the data protection principles contained in the Safe Harbour arrangement between the European Commission and the US Department of Commerce (http://epic.org/privacy/intl/EP_SH_resolution_0700.html).
At the dawn of the cloud computing era there were very few public cloud solutions that offered this level of data protection, but as the technologies mature they may become more standards-compliant. In the meantime you may have to rely on the wording in service contracts to assist you with cloud compliance.